Sessions or Cookeies for Security

Hi all,

I have users with different levels of security sharing the same machine.
I want to force  alogin if the browser is closed.  What is the best
way to go about this?

Patrick

The best way to do this would be with sessions, since cookies are made to do
the exact opposite of this (Cookies are for "remembering" things if the
browser is closed)

With sessions, if the browser closes, the client will NOT remember anything
and will have to enter a login again.


"Patrick" <pknews@kirks.net> a écrit dans le message de
news:c3mjna$sa6$1@sparta.btinternet.com...
> Hi all,
>
> I have users with different levels of security sharing the same machine.
>     I want to force  alogin if the browser is closed.  What is the best
> way to go about this?
>
> Patrick

This is quite an interesting subject though

I've been developing in ASP as well, for a while now, and in ASP, session
depend on the user having cookies enabled, whereas PHP doesn't. Isn't that
rather ironic?
And also, a session in ASP only lasts 20 minutes by default, which is rather
irritating if you need to read large pages, and then haveto re-login to goto
the next page. I think when I go down on my knees tonight, I'll say a
special thank-you for PHP :)

--

Kind Regards
Rudi Ahlers
+27 (82) 926 1689

For as he thinks in his heart, so he is. ... (Proverbs 23:7)
"Olivier Bellemare" <__NOSPAM__olivier.bellemare__NOSPAM__@cgocable.ca>
wrote in message news:eUA7c.178064$2g.8783@charlie.risq.qc.ca...
The best way to do this would be with sessions, since cookies are made to do
the exact opposite of this (Cookies are for "remembering" things if the
browser is closed)

With sessions, if the browser closes, the client will NOT remember anything
and will have to enter a login again.


"Patrick" <pknews@kirks.net> a écrit dans le message de
news:c3mjna$sa6$1@sparta.btinternet.com...
> Hi all,
>
> I have users with different levels of security sharing the same machine.
>     I want to force  alogin if the browser is closed.  What is the best
> way to go about this?
>
> Patrick

"Patrick" <pknews@kirks.net> wrote in message
news:c3mjna$sa6$1@sparta.btinternet.com...
> Hi all,
>
> I have users with different levels of security sharing the same machine.
>     I want to force  alogin if the browser is closed.  What is the best
> way to go about this?
>
> Patrick

What I have done in the past, is used cookies.  Set the expiration time to
zero.  So when they leave the site and close the browser, they will be
forced to login.  I use this on my managers page.  At the top of each
managers page, I have code that looks for the cookie, and the content of
that cookie.  If it is there, it displays the page.  If it is not, it kicks
them back to the login page.  To make things a little more secure (in my
opinion) I have the "username" be the cookie name, and the "password" be the
content of the cookie.  The advantage of that, is you hard code the
information into your PHP.  Any someone trying to guess logins and passwords
would have an infinite number of possibilities.  Hope this makes sense to
you.

Lee

> "Patrick" <pknews@kirks.net> a écrit dans le message de
> news:c3mjna$sa6$1@sparta.btinternet.com... 
>
>

In article <eUA7c.178064$2g.8783@charlie.risq.qc.ca>,
"Olivier Bellemare"
"<__NOSPAM__olivier.bellemare__NOSPAM__@cgocable.ca> wrote:

> The best way to do this would be with sessions, since cookies are made to 
do
> the exact opposite of this (Cookies are for "remembering" things if the
> browser is closed)
>
> With sessions, if the browser closes, the client will NOT remember anythin
g
> and will have to enter a login again.
>
>

But my browser (all of them on the Mac) uses a cookie to track a
session.  Granted that cookie goes away when the browser closes, but
they're still using cookies.  AFAIK, unless you use a POST and a hidden
field between forms, there's no stateless way to maintain session
information between pages.

--
DeeDee, don't press that button!  DeeDee!  NO!  Dee...

"Michael Vilain <vilain@spamcop.net>" wrote:
[...]
>
> But my browser (all of them on the Mac) uses a cookie to track a
> session.  Granted that cookie goes away when the browser closes, but
> they're still using cookies.  AFAIK, unless you use a POST and a hidden
> field between forms, there's no stateless way to maintain session
> information between pages.
>
Thanks all.